TechSpot

Malware remains after following 8 steps

By JayF
Feb 9, 2011
  1. Hello,

    I am a new user motivated to join by a nasty malware infection. I appreciate the existence of this forum.

    I've followed the 8 steps for removing the System Defrag virus, but issues with redirecting IE and Firefox and malicious popups remain. Below are my logs. I would very much appreciate any help you could give.

    Thanks in advance
    JayF

    (order: DDS, Attach, Gmer, Malwarebytes)


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Jay at 21:35:57.53 on Tue 02/08/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1401 [GMT -8:00]

    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\IT Connection Manager\SRUserService.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Belkin Storage Manager\StorageManager.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Owner\Application Data\Dropbox\bin\Dropbox.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
    mRun: [<NO NAME>]
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    mRun: [Belkin Storage Manager] "c:\program files\belkin storage manager\StorageManager.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\owner\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    Trusted Zone: aplus.net\cp
    Trusted Zone: jayfrenchtherapy.com\www
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164792322687
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F4A1DC8A-3D7A-4C28-A5B6-C624B814A702} - hxxps://cp.aplus.net/tools/fileman/FileMan.cab
    DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/TrueInstall.exe
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lw29fkqb.default\
    FF - prefs.js: browser.search.selectedEngine - Optify Internal
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\lw29fkqb.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-8 294608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-8 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-8 40384]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 SRUserService;IT Connection Manager;c:\program files\it connection manager\SRUserService.exe [2008-2-27 278672]
    S2 gupdate1c9c5e9ecdfb80a;Google Update Service (gupdate1c9c5e9ecdfb80a);c:\program files\google\update\GoogleUpdate.exe [2009-4-25 133104]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
    S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
    S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [2004-6-28 61840]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2006-11-29 23936]
    S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2009-3-24 127656]
    S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [2008-5-6 450560]

    =============== Created Last 30 ================

    2011-02-08 18:15:25 38848 ----a-w- c:\windows\avastSS.scr
    2011-02-08 07:55:17 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2011-02-08 07:55:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-08 07:55:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-02-08 07:54:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-08 07:54:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-08 04:05:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-02-08 04:05:51 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-10 21:06:27 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\System Restore
    2011-01-10 21:06:21 -------- d-----w- c:\program files\Screenshot Studio

    ==================== Find3M ====================

    2010-11-30 01:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-30 01:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-15 21:00:14 72080 ----a-w- c:\documents and settings\owner\g2mdlhlpx.exe

    ============= FINISH: 21:43:36.40 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/27/2006 9:13:39 AM
    System Uptime: 2/8/2011 9:07:03 PM (0 hours ago)

    Motherboard: Quanta | | 30BB
    Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | U2E1 | 1663/667mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 99 GiB total, 50.923 GiB free.
    D: is FIXED (FAT32) - 12 GiB total, 1.371 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP751: 11/16/2010 9:36:13 AM - System Checkpoint
    RP752: 12/1/2010 12:06:50 PM - System Checkpoint
    RP753: 12/2/2010 11:25:17 AM - Software Distribution Service 3.0
    RP754: 12/7/2010 2:17:35 PM - System Checkpoint
    RP755: 12/8/2010 4:35:23 PM - Installed QuickTime
    RP756: 12/15/2010 2:33:16 PM - System Checkpoint
    RP757: 12/31/2010 10:28:46 AM - avast! Free Antivirus Setup
    RP758: 12/31/2010 10:49:11 AM - avast! Free Antivirus Setup
    RP759: 1/7/2011 10:11:30 AM - System Checkpoint
    RP760: 1/9/2011 12:39:40 PM - System Checkpoint
    RP761: 1/10/2011 4:15:05 PM - System Checkpoint
    RP762: 1/11/2011 4:53:54 PM - System Checkpoint
    RP763: 1/13/2011 1:04:58 PM - System Checkpoint
    RP764: 1/16/2011 12:02:31 PM - System Checkpoint
    RP765: 1/18/2011 9:15:11 AM - System Checkpoint
    RP766: 2/4/2011 10:15:49 AM - System Checkpoint
    RP767: 2/5/2011 3:40:22 PM - System Checkpoint
    RP768: 2/6/2011 6:41:48 PM - System Checkpoint
    RP769: 2/7/2011 10:18:37 AM - Software Distribution Service 3.0
    RP770: 2/7/2011 11:47:16 AM - Restore Operation
    RP771: 2/7/2011 7:38:05 PM - Software Distribution Service 3.0
    RP772: 2/7/2011 8:01:37 PM - Restore Operation
    RP773: 2/7/2011 8:23:50 PM - Software Distribution Service 3.0
    RP774: 2/7/2011 10:55:47 PM - Removed Skype™ 4.2
    RP775: 2/7/2011 10:57:40 PM - Removed CA eTrust Antivirus
    RP776: 2/8/2011 9:47:42 AM - Restore Operation
    RP777: 2/8/2011 9:57:58 AM - Restore Operation

    ==== Installed Programs ======================


    5600
    5600_Help
    5600Trb
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop 7.0.1
    Adobe Reader 7.0.5
    AiO_Scan
    AiOSoftware
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    AutoUpdate
    avast! Free Antivirus
    Belkin Storage Manager
    BotHunter
    BufferChm
    Camtasia Studio 7
    Cardmod_x86 and MSITPintool
    ColorSchemer Studio 2
    Conexant HD Audio
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    CueTour
    CutePDF Writer 2.8
    Destinations
    DivX
    DocProc
    Dropbox
    eSupportQFolder
    EZ Vinyl/Tape Converter 1.5.2.0 by MixMeister
    Fax
    FullDPAppQFolder
    GemMaster Mystic
    Google Chrome
    Google Earth
    Google Update Helper
    Google Updater
    GoToMeeting 4.5.0.457
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Help and Support
    HP Image Zone Express
    HP Imaging Device Functions 6.0
    HP Photosmart Premier Software 6.0
    HP PSC & OfficeJet 5.3.B
    HP Quick Launch Buttons 6.10 A2
    HP QuickPlay 2.3
    HP Rhapsody
    HP Solution Center & Imaging Support Tools 5.3
    HP Update
    HP User Guides 0035
    HP Wireless Assistant 2.00 G2
    HPProductAssistant
    HpSdpAppCoreApp
    InstantShareDevices
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    IT Connection Manager
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    LightScribe 1.4.97.1
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.0 Hotfix (KB953295)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-08 21:35:15
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.892C
    Running: bp7rsc8b.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwlirpob.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9D30382E]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x9D303652]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x9D30378C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:140] 89EF0A05
    Thread System [4:144] 89EF2A24

    ---- EOF - GMER 1.0.15 ----


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5709

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2/8/2011 9:20:55 PM
    mbam-log-2011-02-08 (21-20-55).txt

    Scan type: Quick scan
    Objects scanned: 198770
    Time elapsed: 10 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Jay!
    The preliminary steps are just that> a beginning. If you read our text, you will note that they are not meant to find and remove all malware. The System Defragmenter may prevent you from launching any executable on your computer as the program will say they are corrupted. When you attempt to run them it will display the following message:
    System Error!
    Exe file is corrupted and can't be run. Hard drive scan required.
    Scan Hard Drive

    Have you noticed this? You may also be advised of fake problems which 'require' you to purchase the program to remove:>>>Don't take any action on these alerts. There may also be fake alerts from your Windows taskbar> referring to "Critical Errors." Don't take action on any of these scare tactics.

    This usually shows up in Malwarebytes but there is nothing in this log. Did you run Mbam previously and see this malware? If not, how do you know it's on the system?
    ==================================
    I'd like you to remove the following Domains from the Trusted Zone. Nothing needs to be in that zone.
    Trusted Zone: aplus.net\cp
    Trusted Zone: jayfrenchtherapy.com\www

    Access Internet Options from either Tools in IE or the Control Panel> Security tab> Trusted Sites> Sites> Paste or type each in> Click on Remove>> when both have been removed> Click on OK> Apply> OK.
    Sometimes, when a group has an Intranet set up among them, they will set up in the Trusted Zone. But the security is lower in the zone, so it's best to avoid putting anything in it.
    ====================================
    You have one security breach> your Java is way behind for updates and older versions are vulnerabilities to the system. The version you have is v5u6. The current version is v6u23. Please check this site for the update: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system. You will also need to remove the outdated versions of the Java plug-ins in Firefox.
    =======================================================
    I'll be checking these logs while you run the scans.
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===============================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    I notice you did two System Restores:
    RP776: 2/8/2011 9:47:42 AM - Restore Operation
    RP777: 2/8/2011 9:57:58 AM - Restore Operation

    Are the logs you left from before or after?
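    The two findings the helper pulls out of the DDS log above (hosts sitting in the IE Trusted Zone, and a Java runtime older than the current release) can be checked mechanically. The script below is an added example, not part of this thread or of the DDS tool; it parses a constructed excerpt modelled on the posted "Pseudo HJT Report" and assumes DDS prints Trusted Zone entries as the ZoneMap key path (domain\subdomain).

    ```python
    """Triage checks over a DDS 'Pseudo HJT Report' excerpt.

    Added example (not from the thread or from DDS). Flags the two items the
    helper raised: IE Trusted Zone entries and an outdated Java runtime.
    """
    import re

    # Constructed excerpt modelled on the DDS log posted in the thread.
    # Backslashes are doubled only because this is a Python string literal.
    SAMPLE_DDS = """\
    uStart Page = about:blank
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\\program files\\java\\jre1.5.0_06\\bin\\ssv.dll
    Trusted Zone: aplus.net\\cp
    Trusted Zone: jayfrenchtherapy.com\\www
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    FF - plugin: c:\\program files\\java\\jre1.5.0_06\\bin\\NPJava11.dll
    """

    # Java "1.x.0_uu" version strings as they appear in JRE install paths
    # (jre1.5.0_06) and in the jinstall cab names pulled in by DPF lines.
    _JRE_PATH = re.compile(r"jre1\.(\d+)\.\d+_(\d+)", re.IGNORECASE)
    _JINSTALL = re.compile(r"jinstall-1_(\d+)_\d+_(\d+)", re.IGNORECASE)


    def trusted_zone_hosts(log: str) -> list[str]:
        """Return every 'Trusted Zone:' entry as a real hostname.

        Assumption of this example: DDS prints the registry key path under
        ZoneMap\\Domains, i.e. 'domain\\subdomain', so 'aplus.net\\cp' is the
        host cp.aplus.net. An entry without a subdomain is the whole domain.
        """
        hosts = []
        for line in log.splitlines():
            if not line.startswith("Trusted Zone:"):
                continue
            entry = line.split(":", 1)[1].strip()
            domain, *subs = entry.split("\\")
            hosts.append(".".join(list(reversed(subs)) + [domain]))
        return hosts


    def java_versions(log: str) -> set[tuple[int, int]]:
        """Collect (major, update) pairs, e.g. (5, 6) for jre1.5.0_06 (Java 5 Update 6)."""
        found = set()
        for pattern in (_JRE_PATH, _JINSTALL):
            for major, update in pattern.findall(log):
                found.add((int(major), int(update)))
        return found


    def java_tag(version: tuple[int, int]) -> str:
        """Format (5, 6) as 'v5u6', the shorthand used in the thread."""
        return f"v{version[0]}u{version[1]}"


    def outdated_java(log: str, current: tuple[int, int] = (6, 23)) -> list[str]:
        """Tags of every Java runtime in the log that is older than `current`.

        The default (6, 23) is the release the helper names as current in
        February 2011; pass whatever is current when you run this.
        """
        return sorted(java_tag(v) for v in java_versions(log) if v < current)


    def triage(log: str) -> dict:
        """Summarise both checks for a log excerpt."""
        return {
            "trusted_zone": trusted_zone_hosts(log),
            "outdated_java": outdated_java(log),
        }


    if __name__ == "__main__":
        for key, value in triage(SAMPLE_DDS).items():
            print(f"{key}: {value}")
    ```
    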
     
  3. JayF

    JayF TS Rookie Topic Starter Posts: 16

    Thank you, Bobbye.

    I will take the steps you suggest. In the meantime, answers to your questions:

    The 2 system restores were prior to following the steps
    I believe the majority of the malware was previously removed by Malwarebytes/Avast. I am no longer getting the system error popups. The issue that remains is that IE and Firefox redirect all searches to random webpages that attempt to download Trojans (now being caught and prevented by avast).

    I will reply again after I have followed your steps (later this evening.)
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The redirects are from malware. Post logs when ready.
     
  5. JayF

    JayF TS Rookie Topic Starter Posts: 16

    I've done the things you suggested, but got hung up on the combotool. The eset scan came out clean (I'll give you the log if you want it)

    Here's what happened with the combotool:

    Tried downloading from the website onto the infected computer -- the download hung.
    I restarted, then downloaded the executable onto another box and transferred it via a flash drive, then ran the executable on the infected computer in safe mode. This worked, but it asked for the system recovery console. I wasn't on line (safe mode), so I aborted this and rebooted into normal mode. The computer blue-screened on reboot. I rebooted again, no blue-screen this time, then tried running the executable again, and got another bluescreen immediately.

    I now apparently need to recover from the combo tool.... Although the computer does restart normally again.

    Appreciate your help thus far and I'm open to further suggestions...
     
  6. JayF

    JayF TS Rookie Topic Starter Posts: 16

    I'm realizing you could probably use a bit more info, so I'm attaching logs below.
    1. The first 2 times I ran Malwarebytes (before I did the 8 steps I ran Malwarebytes twice).
    2. The log from Eset (just ran last night).
    Also, when I ran Avast during the 8 steps, it caught and quarantined 3 files. Do you want the names of those files?

    Re: Combofix, I'm wondering if I should run a system restore to the restore point I created immediately before trying to run it. Will wait for instructions before doing that.

    Here are the logs I mentioned:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5363

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    2/8/2011 12:44:33 AM
    mbam-log-2011-02-08 (00-44-33).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 315667
    Time elapsed: 47 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Owner\local settings\Temp\573.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5709

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    2/8/2011 6:03:55 AM
    mbam-log-2011-02-08 (06-03-55).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 322244
    Time elapsed: 43 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\cisvfmon.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\cisvfmon.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\Temp\1453E8.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\Owner\local settings\Temp\tmp33.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\RP768\A0084167.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\RP770\A0085098.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\RP770\A0085100.exe (Rogue.WindowsDisk) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{3a579f61-82cf-4117-919a-db7b394cd5bc}\RP770\A0085101.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=acf6465bf55dbd47bfcdb1255e01494f
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-10 06:57:14
    # local_time=2011-02-09 10:57:14 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=768 16777215 100 0 3408653 3408653 0 0
    # compatibility_mode=4864 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=135634
    # found=0
    # cleaned=0
    # scan_time=9456
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=acf6465bf55dbd47bfcdb1255e01494f
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-02-10 09:40:24
    # local_time=2011-02-10 01:40:24 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=768 16777215 100 0 3422456 3422456 0 0
    # compatibility_mode=4864 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=135999
    # found=0
    # cleaned=0
    # scan_time=5444
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do not do a System Restore!


    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.

    Then download the full Combofix programs on a flash drive. Install it on the problem computer. If you can run it in Normal Mode with internet connection, it is best to install the Recovery Console. If you cannot do this, don't abort the program, just override the query and click on scan.

    The Eset scan is clean. Mbam show numerous malware entries removed. Now I have to find the remaining entries and remove them. But I need to see the Combofix report so I can set up the script to do that.

    Edit: Just saw your next reply. It would be better if you did not run Avast while we're cleaning>>>
     
  8. JayF

    JayF TS Rookie Topic Starter Posts: 16

    When I try the Combofix uninstall, I get
    "Windows cannot find Combofix"

    I do know that combofix ran though -- it created a C:\Combofix folder that has a mirror of my C drive in it.

    Also, I am not running other cleaning programs etc. I was just reporting what Avast found yesterday when I was going through the 8 steps.

    I'll wait to hear from you for my next move re: combofix.. Thanks for your help.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, do you have the log from the scan you did? It should be C:\ComboFix.txt. Paste that in for me. Mbam shows the malware in temp files> if you ran TFC or Combofix previously, they should have been removed. The other entries are in the restore points and will be handled later.
     
  10. JayF

    JayF TS Rookie Topic Starter Posts: 16

    No, there's no combofix.txt file.

    There is only a combofix folder on the C:\ drive which contains an exact mirror of
    the drive (see attached image file for a screenshot --- it's kind of freaky).
     


  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yeah it is! When you downloaded Combofix, did you save it to the desktop? Next step would have been to double click on the setup to install.

    Somehow, Combofix has set itself up as a separate drive on the system instead of just a directory. I think that happened in the 'save' process. That's why the process can't be found.
     
  12. JayF

    JayF TS Rookie Topic Starter Posts: 16

    I did copy combofix to the desktop. It is possible, though, that I originally ran it from the flash drive I used to transfer the .exe (drive F:). I can't find combofix.txt there either though.
     
  13. JayF

    JayF TS Rookie Topic Starter Posts: 16

    Not sure what to do at this point. I'm looking for some guidance.... I feel like I need to roll back the effects of combofix somehow. Any ideas?

    Thanks in advance
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Can you boot into Normal Mode now and connect to the internet?

    I don't think the uninstall is going to work for Combofix because all you downloaded and installed was the executable. If you can connect, I'd like you to try and start over with Combofix> see if the system will take a new download to desktop, then double click to install.
     
  15. JayF

    JayF TS Rookie Topic Starter Posts: 16

    So I tried combofix again and got a bluescreen right away. The message was:

    Driver_left_locked_pages_in_process

    There's no text file in C:\
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Combofix must have gotten corrupt when you aborted the scan. Please run this:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      combofix.*
      :dir
      C:\Combofix
      :process
      combofix.exe 
      :folderfind
      C:\ComboFix.txt.
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  17. JayF

    JayF TS Rookie Topic Starter Posts: 16

    Sadly, I can no longer log in to the computer. Apparently the virus has changed the logon password.

    I will try the other accounts, but I'm pessimistic. Any ideas? I'm about to pull the plug on this and wipe the hard drive...
     
  18. JayF

    JayF TS Rookie Topic Starter Posts: 16

    OK. Apparently the virus let me log on today. I think it has a primitive sense of humor. I was able to run systemcheck in safe mode. Here is the log:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 19:22 on 15/02/2011 by Jay
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "combofix.*"
    C:\Documents and Settings\Owner\Desktop\ComboFix.exe --a---- 4267704 bytes [02:19 14/02/2011] [02:19 14/02/2011] D56DED6CD703E2846297FC2D17105483

    ========== dir ==========

    C:\Combofix - Parameters: "(none)"

    ---Files---
    023.dat --a---- 52784 bytes [07:33 10/02/2011] [07:36 10/02/2011]
    023v.dat --a---- 2181 bytes [07:33 10/02/2011] [11:07 27/11/2010]
    023w7.dat --a---- 660 bytes [07:33 10/02/2011] [09:55 13/02/2010]
    AddDriver02 --a---- 0 bytes [07:43 10/02/2011] [07:43 10/02/2011]
    AppData.folder.dat --a---- 387 bytes [07:41 10/02/2011] [07:41 10/02/2011]
    AppDataFile.cfx --a---- 28831 bytes [07:33 10/02/2011] [20:11 10/02/2011]
    AppDataFolder.cfx --a---- 13956 bytes [07:33 10/02/2011] [09:31 10/02/2011]
    appinit.bad --a---- 6760 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    asp.str --a---- 602 bytes [07:33 10/02/2011] [07:09 14/07/2009]
    Assoc.cmd --a---- 4144 bytes [07:33 10/02/2011] [06:11 16/04/2010]
    ATTRIB.cfxxe -ra---- 12288 bytes [07:35 10/02/2011] [00:12 14/04/2008]
    Auto-RC.cmd --a---- 5014 bytes [07:33 10/02/2011] [07:15 06/09/2010]
    av.cmd --a---- 3586 bytes [07:33 10/02/2011] [20:42 13/01/2011]
    av.vbs --a---- 2933 bytes [07:33 10/02/2011] [07:02 16/12/2010]
    AWF.cmd --a---- 659 bytes [07:33 10/02/2011] [09:03 16/11/2009]
    badclsid --a---- 2609048 bytes [07:36 10/02/2011] [07:36 10/02/2011]
    Boot-Rk.cmd --a---- 4807 bytes [07:33 10/02/2011] [10:03 28/01/2011]
    Boot.bat --a---- 8418 bytes [07:33 10/02/2011] [07:54 26/11/2010]
    BootDrv.vbs --a---- 875 bytes [07:33 10/02/2011] [00:55 28/07/2010]
    c.bat --a---- 63180 bytes [07:33 10/02/2011] [07:07 28/01/2011]
    c.mrk --a---- 0 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    Cache.folder.dat --a---- 536 bytes [07:41 10/02/2011] [07:42 10/02/2011]
    Catch-sub.cmd --a---- 1080 bytes [07:33 10/02/2011] [00:45 22/10/2010]
    catchme.cfxxe -ra---- 147456 bytes [07:33 10/02/2011] [01:37 18/04/2009]
    CCS.bat --a---- 91 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    CF-Script.cmd --a---- 29591 bytes [07:33 10/02/2011] [06:06 13/12/2010]
    CF2601.cfxxe -ra---- 389120 bytes [07:35 10/02/2011] [07:33 10/02/2011]
    CFVersionOld --a---- 0 bytes [07:34 10/02/2011] [07:34 10/02/2011]
    CHCP.bat --a---- 16 bytes [07:34 10/02/2011] [07:34 10/02/2011]
    clsid.c --a---- 266950 bytes [07:33 10/02/2011] [20:12 10/02/2011]
    clsid.dat --a---- 710931 bytes [07:36 10/02/2011] [07:36 10/02/2011]
    clsid.hiv --a---- 7987200 bytes [07:36 10/02/2011] [07:36 10/02/2011]
    Combo-Fix.sys --a---- 1024 bytes [07:33 10/02/2011] [07:16 20/08/2010]
    Combobatch.bat --a---- 7733 bytes [07:33 10/02/2011] [08:27 16/11/2010]
    ComboFix-Download.cfxxe -ra---- 141312 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    ConEnv.sed --a---- 3457 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    Cookies.folder.dat --a---- 277 bytes [07:41 10/02/2011] [07:42 10/02/2011]
    Create.cmd --a---- 18215 bytes [07:33 10/02/2011] [22:38 11/01/2011]
    Creg.dat --a---- 537234 bytes [07:33 10/02/2011] [09:28 10/02/2011]
    CregC.cmd --a---- 3342 bytes [07:33 10/02/2011] [11:52 04/10/2010]
    CregC.dat --a---- 472 bytes [07:33 10/02/2011] [01:21 18/04/2010]
    CregC_.dat --a---- 904 bytes [07:36 10/02/2011] [07:37 10/02/2011]
    CSCRIPT.cfxxe -ra---- 135168 bytes [07:35 10/02/2011] [09:07 07/05/2008]
    CSet.cmd --a---- 1686 bytes [07:33 10/02/2011] [05:49 24/12/2009]
    d-delA.dat --a---- 0 bytes [07:36 10/02/2011] [07:36 10/02/2011]
    dd.cfxxe -ra---- 101376 bytes [07:33 10/02/2011] [13:14 23/08/2010]
    ddsDo.sed --a---- 7983 bytes [07:33 10/02/2011] [17:59 25/05/2009]
    DelClsid.bat --a---- 2016 bytes [07:33 10/02/2011] [11:31 04/05/2010]
    Desktop.folder.dat --a---- 220 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    desktop.ini --a---- 113 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    DesktopFile.cfx --a---- 8053 bytes [07:33 10/02/2011] [00:59 09/02/2011]
    DisclaimED.dat --a---- 7 bytes [07:34 10/02/2011] [07:34 10/02/2011]
    DPF.str --a---- 746 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    DrvRun.vbs --a---- 650 bytes [07:33 10/02/2011] [10:44 19/04/2010]
    dumphive.cfxxe -ra---- 51200 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    embedded.sed --a---- 303 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    ERDNT.e_e --a---- 163328 bytes [07:33 10/02/2011] [04:02 21/10/2005]
    ERDNTDOS.LOC --a---- 2815 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    ERDNTWIN.LOC --a---- 3275 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    ERUNT.cfxxe -ra---- 157696 bytes [07:33 10/02/2011] [04:00 21/10/2005]
    erunt.dat --a---- 10 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    ERUNT.LOC --a---- 4090 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    Exe.reg --a---- 14517 bytes [07:33 10/02/2011] [10:37 09/12/2010]
    extract.cfxxe -ra---- 52736 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    FavoriteFolder.cfx --a---- 20 bytes [07:33 10/02/2011] [00:52 06/09/2010]
    Favorites.folder.dat --a---- 230 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    FavoritesFile.cfx --a---- 6483 bytes [07:33 10/02/2011] [07:53 10/02/2011]
    FD-SV.cmd --a---- 8028 bytes [07:33 10/02/2011] [20:29 24/01/2011]
    ffdefstr.dll --a---- 38901 bytes [07:33 10/02/2011] [12:45 30/08/2010]
    FileKill.cfxxe -ra---- 145920 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    files.pif --a---- 3143 bytes [07:33 10/02/2011] [20:12 10/02/2011]
    Fin.dat --a---- 677 bytes [07:33 10/02/2011] [12:32 10/08/2010]
    FIND3M.bat --a---- 31154 bytes [07:33 10/02/2011] [08:26 16/11/2010]
    firefox.exe --a---- 31232 bytes [07:33 10/02/2011] [20:56 20/04/2009]
    FIXLSP.bat --a---- 4777 bytes [07:33 10/02/2011] [00:41 24/10/2010]
    FKMGen.cmd --a---- 1085 bytes [07:33 10/02/2011] [04:41 04/01/2010]
    ForeignWht --a---- 880 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    f_system --a---- 0 bytes [07:37 10/02/2011] [07:37 10/02/2011]
    GetHive.cmd --a---- 5979 bytes [07:33 10/02/2011] [02:02 23/10/2010]
    grep.cfxxe -ra---- 80412 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    gsar.cfxxe -ra---- 15360 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    handle.cfxxe -ra---- 173936 bytes [07:33 10/02/2011] [21:15 18/11/2008]
    hidec.exe --a---- 1536 bytes [07:33 10/02/2011] [09:54 16/08/2005]
    history.bat --a---- 954 bytes [07:33 10/02/2011] [01:25 21/10/2009]
    History.folder.dat --a---- 352 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    hwid.pif --a---- 74529 bytes [07:33 10/02/2011] [08:44 15/07/2010]
    iexplore.exe --a---- 31232 bytes [07:33 10/02/2011] [20:56 20/04/2009]
    image001.gif --a---- 1057 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    Imefile.dat --a---- 224 bytes [07:33 10/02/2011] [15:07 05/09/2010]
    Install-RC.cmd --a---- 8004 bytes [07:33 10/02/2011] [07:15 06/09/2010]
    IntelMatrix.dat --a---- 2 bytes [07:43 10/02/2011] [07:43 10/02/2011]
    Jay.user.cf --a---- 0 bytes [07:36 10/02/2011] [07:36 10/02/2011]
    katch.cmd --a---- 1333 bytes [07:33 10/02/2011] [07:33 25/12/2010]
    Kill-All.cmd --a---- 1695 bytes [07:33 10/02/2011] [02:37 04/10/2010]
    kmd.dat --a---- 14 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    Lang.bat --a---- 215364 bytes [07:33 10/02/2011] [02:19 02/12/2010]
    List-B.bat --a---- 17892 bytes [07:33 10/02/2011] [06:41 10/02/2011]
    List-C.bat --a---- 230968 bytes [07:33 10/02/2011] [07:45 10/02/2011]
    List-D.bat --a---- 111168 bytes [07:33 10/02/2011] [08:28 16/11/2010]
    List.bat --a---- 1439680 bytes [07:33 10/02/2011] [20:11 10/02/2011]
    lnkread.vbs --a---- 3246 bytes [07:33 10/02/2011] [09:49 16/12/2010]
    LocalAppData.folder.dat --a---- 345 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    LocalAppDataFile.cfx --a---- 4302 bytes [07:33 10/02/2011] [00:59 09/02/2011]
    LocalAppDataFolder.cfx --a---- 2902 bytes [07:33 10/02/2011] [05:32 31/12/2010]
    LocalService.dat --a---- 225 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    LocalServiceNetworkRestricted.dat --a---- 91 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    LocalSettings.folder.dat --a---- 118 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    LocalSettingsFile.cfx --a---- 2795 bytes [07:33 10/02/2011] [01:39 10/01/2011]
    LocalSystemNetworkRestricted.dat --a---- 198 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    mbr.cfxxe -ra---- 77312 bytes [07:33 10/02/2011] [14:11 25/10/2009]
    mbr.chk --a---- 2141 bytes [07:33 10/02/2011] [19:30 29/08/2010]
    md5sum.pif --a---- 6528 bytes [07:33 10/02/2011] [20:12 10/02/2011]
    MoveIt.bat --a---- 2834 bytes [07:33 10/02/2011] [21:12 12/10/2010]
    mtee.cfxxe -ra---- 11264 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    MtPt00 --a---- 164 bytes [07:33 10/02/2011] [07:33 10/02/2011]
    Music.folder.dat --a---- 287 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    MWindows.dat --a---- 422 bytes [07:36 10/02/2011] [07:36 10/02/2011]
    mynul.dat --a---- 0 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    n.pif --a---- 31232 bytes [07:33 10/02/2011] [20:56 20/04/2009]
    ncmd.com --a---- 8512 bytes [07:33 10/02/2011] [09:12 25/12/2010]
    ndis_combofix.dat --a---- 283 bytes [07:33 10/02/2011] [00:12 25/12/2009]
    ND_.bat --a---- 64146 bytes [07:33 10/02/2011] [02:21 29/10/2010]
    NetHood.folder.dat --a---- 173 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    netsvc.bad.dat --a---- 520 bytes [07:33 10/02/2011] [02:21 15/04/2010]
    netsvc.dat --a---- 525 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    NetworkService.dat --a---- 88 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    NewCFUser --a---- 2 bytes [07:34 10/02/2011] [07:34 10/02/2011]
    NirCmd.cfxxe -ra---- 31232 bytes [07:33 10/02/2011] [20:56 20/04/2009]
    NircmdB.exe --a---- 31232 bytes [07:33 10/02/2011] [20:56 20/04/2009]
    NirCmdC.cfxxe -ra---- 30720 bytes [07:33 10/02/2011] [20:56 20/04/2009]
    NlsLanguageDefault --a---- 6 bytes [07:34 10/02/2011] [07:34 10/02/2011]
    NT-OS.cmd --a---- 38228 bytes [07:33 10/02/2011] [16:51 28/01/2011]
    NULL --a---- 0 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    OsId.txt --a---- 84 bytes [07:37 10/02/2011] [07:37 10/02/2011]
    OSid.vbs --a---- 977 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    OsVer --a---- 43 bytes [07:33 10/02/2011] [07:33 10/02/2011]
    pausep.cfxxe -ra---- 68096 bytes [07:33 10/02/2011] [21:01 29/09/2002]
    Personal.folder.dat --a---- 242 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    PersonalFile.cfx --a---- 3621 bytes [07:33 10/02/2011] [07:53 10/02/2011]
    PersonalFolder.cfx --a---- 119 bytes [07:33 10/02/2011] [01:40 10/01/2011]
    PEV.cfxxe -ra---- 256512 bytes [07:33 10/02/2011] [23:58 26/04/2010]
    pev.exe --a---- 256512 bytes [07:33 10/02/2011] [23:58 26/04/2010]
    pevb.cfxxe -ra---- 102400 bytes [07:33 10/02/2011] [17:28 28/01/2011]
    Pictures.folder.dat --a---- 302 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    PING.cfxxe -ra---- 17920 bytes [07:35 10/02/2011] [00:12 14/04/2008]
    Policies.dat --a---- 2992 bytes [07:33 10/02/2011] [11:51 06/07/2009]
    powp.dat --a---- 64 bytes [07:33 10/02/2011] [00:57 14/05/2010]
    Prep.inf --a---- 2898 bytes [07:33 10/02/2011] [10:39 09/12/2010]
    PrintHood.folder.dat --a---- 45 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    Profiles.Folder.dat --a---- 375 bytes [07:41 10/02/2011] [07:41 10/02/2011]
    Profiles.Folder.folder.dat --a---- 689 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    ProfilesFile.cfx --a---- 13068 bytes [07:33 10/02/2011] [20:11 10/02/2011]
    ProfilesFolder.cfx --a---- 871 bytes [07:33 10/02/2011] [01:00 09/02/2011]
    progfile.dat --a---- 55028 bytes [07:37 10/02/2011] [07:40 10/02/2011]
    Programs.folder.dat --a---- 280 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    ProgramsFile.cfx --a---- 3968 bytes [07:33 10/02/2011] [15:58 28/01/2011]
    ProgramsFolder.cfx --a---- 13539 bytes [07:33 10/02/2011] [09:06 01/02/2011]
    Purity.dat --a---- 404 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    PV.cfxxe -ra---- 73728 bytes [07:42 03/03/2006] [07:42 03/03/2006]
    pv.com --a---- 73728 bytes [07:33 10/02/2011] [07:42 03/03/2006]
    RCLink.dat --a---- 7478 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    RcLink.dat00 --a---- 94 bytes [07:44 10/02/2011] [07:44 10/02/2011]
    Recent.folder.dat --a---- 169 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    REGDACL.sed --a---- 3558 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    RegDo.sed --a---- 9203 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    region.dat --a---- 1153 bytes [07:33 10/02/2011] [12:03 17/09/2010]
    RegScan.cmd --a---- 53691 bytes [07:33 10/02/2011] [22:58 23/12/2010]
    REGT.cfxxe --a---- 146432 bytes [07:36 10/02/2011] [07:36 10/02/2011]
    Resident.txt --a---- 80 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    restore_pt.dat --a---- 0 bytes [07:37 10/02/2011] [07:37 10/02/2011]
    restore_pt.vbs --a---- 587 bytes [07:33 10/02/2011] [06:26 02/05/2009]
    Rkey.cmd --a---- 442 bytes [07:33 10/02/2011] [13:35 15/11/2009]
    rmbr.cfxxe -ra---- 89088 bytes [07:33 10/02/2011] [09:20 08/11/2010]
    rogues.dat --a---- 820 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    ROUTE.cfxxe -ra---- 19968 bytes [07:35 10/02/2011] [04:00 16/03/2006]
    run2.sed --a---- 287 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    Rust.str --a---- 30 bytes [07:33 10/02/2011] [19:38 10/06/2009]
    s0rt.cfxxe -ra---- 38400 bytes [07:33 10/02/2011] [08:00 11/11/1999]
    safeboot.dat --a---- 329 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    safeboot.def.dat --a---- 1464 bytes [07:33 10/02/2011] [10:25 10/06/2009]
    sed.cfxxe -ra---- 98816 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    SendTo.folder.dat --a---- 169 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    SetEnvmt.bat --a---- 16896 bytes [07:33 10/02/2011] [19:43 09/12/2010]
    SetPath.bat --a---- 5805 bytes [07:38 10/02/2011] [07:42 10/02/2011]
    setpath.cfxxe -ra---- 31014 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    SF.exe --a---- 49152 bytes [22:42 10/06/2006] [22:42 10/06/2006]
    sfx.cmd --a---- 14 bytes [07:34 10/02/2011] [07:35 10/02/2011]
    SnapShot.cmd --a---- 4630 bytes [07:33 10/02/2011] [19:17 14/10/2010]
    SRestore.cmd --a---- 2146 bytes [07:33 10/02/2011] [23:35 21/10/2010]
    srizbi.md5 --a---- 272816 bytes [07:33 10/02/2011] [20:09 10/02/2011]
    StartMenu.folder.dat --a---- 235 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    StartMenuFile.cfx --a---- 4671 bytes [07:33 10/02/2011] [15:58 28/01/2011]
    StartMenuFolder.cfx --a---- 447 bytes [07:33 10/02/2011] [05:20 03/01/2011]
    StartUp.folder.dat --a---- 320 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    StartUpFile.cfx --a---- 8486 bytes [07:33 10/02/2011] [20:11 10/02/2011]
    Start_dat --a---- 2 bytes [07:35 10/02/2011] [07:35 10/02/2011]
    SuppScan.cmd --a---- 19948 bytes [07:33 10/02/2011] [20:34 13/12/2010]
    SvcDrv.vbs --a---- 2176 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    svchost.dat --a---- 555 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    svchost.vista.x64.dat --a---- 749 bytes [07:33 10/02/2011] [21:12 27/11/2010]
    svc_wht.dat --a---- 11987 bytes [07:33 10/02/2011] [14:42 29/11/2009]
    SWREG.cfxxe -ra---- 161792 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    swreg.exe --a---- 161792 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    swsc.cfxxe -ra---- 136704 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    swxcacls.cfxxe -ra---- 212480 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    SysPath.dat --a---- 2064 bytes [07:37 10/02/2011] [07:37 10/02/2011]
    system_ini.dat --a---- 276 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    tail.cfxxe -ra---- 35328 bytes [07:33 10/02/2011] [16:00 10/11/1999]
    temp00 --a---- 101 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    Templates.folder.dat --a---- 94 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    TemplatesFile.cfx --a---- 3465 bytes [07:33 10/02/2011] [07:53 10/02/2011]
    TemplatesFolder.cfx --a---- 62 bytes [07:33 10/02/2011] [05:25 31/12/2010]
    toolbar.sed --a---- 633 bytes [07:33 10/02/2011] [21:26 30/10/2009]
    Update-CF.cmd --a---- 3934 bytes [07:33 10/02/2011] [08:29 22/12/2010]
    VerCF.bat --a---- 279 bytes [07:33 10/02/2011] [07:35 10/02/2011]
    VikPev00 --a---- 2189 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    Vikpev01 --a---- 0 bytes [07:42 10/02/2011] [07:42 10/02/2011]
    VInfo -ra---- 4327 bytes [07:33 10/02/2011] [08:30 17/09/2010]
    VInfo2 --a---- 9823 bytes [07:33 10/02/2011] [00:56 09/02/2011]
    Vipev.dat --a---- 308 bytes [07:33 10/02/2011] [07:30 11/05/2010]
    vistaMcode.dat --a---- 440 bytes [07:33 10/02/2011] [11:17 27/07/2010]
    vun.dat --a---- 7584 bytes [07:33 10/02/2011] [12:05 21/06/2010]
    w7Mcode.dat --a---- 440 bytes [07:33 10/02/2011] [12:20 24/07/2010]
    Wmi_rem.vbs --a---- 1127 bytes [07:33 10/02/2011] [11:38 12/12/2010]
    w_sock.dll --a---- 98948 bytes [07:33 10/02/2011] [22:45 21/06/2009]
    XP.mac --a---- 40 bytes [07:33 10/02/2011] [07:33 10/02/2011]
    xpmcode.dat --a---- 440 bytes [07:33 10/02/2011] [06:14 23/07/2010]
    xpreg.dat --a---- 60049 bytes [07:33 10/02/2011] [07:44 25/11/2010]
    XPSBoot.reg --a---- 13090 bytes [07:33 10/02/2011] [02:41 03/02/2010]
    zDomain.dat --a---- 23773 bytes [07:33 10/02/2011] [16:00 31/08/2000]
    zhsvc.dat --a---- 47404 bytes [07:33 10/02/2011] [07:36 10/02/2011]
    zip.cfxxe -ra---- 68096 bytes [07:33 10/02/2011] [16:00 31/08/2000]

    ---Folders---
    N_ d------ [07:35 10/02/2011]

    ========== process ==========

    combofix.exe - Unable to open process handle.

    ========== folderfind ==========

    Searching for "C:\ComboFix.txt."
    No folders found.
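    The SystemLook script from reply 16 produces the log above. As an added example (not SystemLook's code and not from either poster), here is a Python parser for that log format, with a check of the MD5 SystemLook reports for a filefind hit against the value you expect and a per-extension count of a listed folder; the sample input is a constructed excerpt of the log above, and treating the first bracketed timestamp as creation time and the second as last-modified is an assumption.

```python
"""Parser for the SystemLook log format shown in this thread (added example, not SystemLook's code)."""
import os
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

TS = r"\d{2}:\d{2} \d{2}/\d{2}/\d{4}"
TS_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints day/month/year
# File line: "<name> <attrs> <size> bytes [<ts1>] [<ts2>] [<md5>]"; the MD5 appears only on filefind hits.
FILE_RE = re.compile(rf"^(?P<name>.+?)\s+(?P<attrs>[-a-z]{{7}})\s+(?P<size>\d+) bytes"
                     rf"\s+\[(?P<t1>{TS})\]\s+\[(?P<t2>{TS})\](?:\s+(?P<md5>[0-9A-Fa-f]{{32}}))?$")
# Folder line: "<name> d------ [<ts>]"
FOLDER_RE = re.compile(rf"^(?P<name>.+?)\s+(?P<attrs>d[-a-z]{{6}})\s+\[(?P<t1>{TS})\]$")
SECTION_RE = re.compile(r"^=+ (?P<name>\w+) =+$")  # e.g. "========== filefind =========="


@dataclass
class Entry:
    name: str
    attrs: str          # SystemLook attribute string, e.g. "--a----", "-ra----", "d------"
    size: int
    created: datetime   # assumption: the first bracketed timestamp is creation time
    modified: datetime  # assumption: the second bracketed timestamp is last-modified time
    md5: Optional[str]


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a file or folder line; None for section headers and other text."""
    line = line.strip()
    if m := FILE_RE.match(line):
        return Entry(m["name"], m["attrs"], int(m["size"]),
                     datetime.strptime(m["t1"], TS_FMT), datetime.strptime(m["t2"], TS_FMT),
                     m["md5"].upper() if m["md5"] else None)
    if m := FOLDER_RE.match(line):
        ts = datetime.strptime(m["t1"], TS_FMT)
        return Entry(m["name"], m["attrs"], 0, ts, ts, None)
    return None


def parse_systemlook(text: str) -> Dict[str, object]:
    """Split a SystemLook log into its :filefind, :dir, :process and :folderfind results."""
    result = {"filefind": [], "dir": {"files": [], "folders": []}, "process": [], "folderfind": []}
    section, sub = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if sec := SECTION_RE.match(line):
            section, sub = sec["name"], None
        elif section == "dir" and line in ("---Files---", "---Folders---"):
            sub = line.strip("-").lower()
        elif section in ("filefind", "dir"):
            entry = parse_entry(line)  # None for the 'Searching for' / 'Parameters' header lines
            if entry and section == "filefind":
                result["filefind"].append(entry)
            elif entry and sub:
                result["dir"][sub].append(entry)
        elif section in ("process", "folderfind") and not line.startswith("Searching for"):
            result[section].append(line)
    return result


def verify_download(entries: List[Entry], filename: str, expected_md5: str) -> Optional[bool]:
    """True if the filefind hit with that basename has the expected MD5, False if not, None if absent."""
    for e in entries:
        if os.path.basename(e.name.replace("\\", "/")).lower() == filename.lower():
            return e.md5 == expected_md5.upper()
    return None


def count_by_extension(entries: List[Entry]) -> Dict[str, int]:
    """Count file entries by extension (folders excluded), e.g. how many renamed .cfxxe tools a folder holds."""
    return dict(Counter(os.path.splitext(e.name)[1].lower()
                        for e in entries if not e.attrs.startswith("d")))


# Constructed excerpt of the SystemLook log posted in this thread.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
Log created at 19:22 on 15/02/2011 by Jay

========== filefind ==========

Searching for "combofix.*"
C:\Documents and Settings\Owner\Desktop\ComboFix.exe --a---- 4267704 bytes [02:19 14/02/2011] [02:19 14/02/2011] D56DED6CD703E2846297FC2D17105483

========== dir ==========

C:\Combofix - Parameters: "(none)"
---Files---
023.dat --a---- 52784 bytes [07:33 10/02/2011] [07:36 10/02/2011]
ATTRIB.cfxxe -ra---- 12288 bytes [07:35 10/02/2011] [00:12 14/04/2008]
Combo-Fix.sys --a---- 1024 bytes [07:33 10/02/2011] [07:16 20/08/2010]
---Folders---
N_ d------ [07:35 10/02/2011]

========== process ==========

combofix.exe - Unable to open process handle.

========== folderfind ==========

Searching for "C:\ComboFix.txt."
No folders found.
"""
```

    Calling parse_systemlook(SAMPLE_LOG) returns the sections as records, and verify_download(log["filefind"], "ComboFix.exe", expected) compares the hash SystemLook reported against one you obtained from a trusted source.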
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    To verify: you used this term twice: combotool which I am taking to mean Combofix. Is that correct? Please don't shorten or change a program because there is a Combotool.

    I had hoped to find enough valid Combofix Files and have you selectively delete them and then start over with Combofix. It appears that when you aborted out of the program when the Recovery Console Query came up, it corrupted the program. Some of the files had already downloaded at that point. Then you switched modes and used the flash drive for the executable only. It won't uninstall because there is no uninstaller in the program.

    According to the program to find this file, you have the Combofix executable file on the desktop:
    C:\Documents and Settings\Owner\Desktop\ComboFix.exe --a---- 4267704 bytes [02:19 14/02/2011] [02:19 14/02/2011] D56DED6CD703E2846297FC2D17105483.

    IF you can access the internet directly, go back to the download site for Combofix> download the program and save it to your desktop
    IF you still cannot access the internet, use a flash drive> go to the download site for Combofix> download the program, then install it on the problem computer. IF you're offline, just bypass the Recovery Console and go to the Scan

    It is possible that an error may be generated somewhere along the line, but give it a try anyway so we can see what can be done.
     
  20. JayF

    JayF TS Rookie Topic Starter Posts: 16

    Thanks for your patience. In answer to your question, all of my references to "Combotool" were to Combofix.

    I finally had some success with Combofix. On the 4th try, running in Safe Mode.



    Here is the log:

    ComboFix 11-02-21.02 - Jay 02/21/2011 23:38:27.1.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1747 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\g2mdlhlpx.exe
    c:\program files\Internet Explorer\SET1FC.tmp
    c:\program files\Internet Explorer\SET220.tmp
    c:\program files\Internet Explorer\SET221.tmp
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
    .

    2011-02-10 04:05 . 2011-02-10 04:05 -------- d-----w- c:\program files\ESET
    2011-02-10 03:49 . 2011-02-10 03:49 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-02-10 03:49 . 2011-02-10 03:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-02-10 03:49 . 2011-02-10 03:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-08 18:15 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-08 18:15 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-08 18:15 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-08 18:15 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-08 18:15 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-02-08 18:15 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-02-08 18:15 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-02-08 18:15 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
    2011-02-08 18:15 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-08 07:55 . 2011-02-08 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2011-02-08 07:55 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-08 07:55 . 2011-02-08 07:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-08 07:54 . 2011-02-08 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-08 07:54 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-08 04:05 . 2011-02-08 04:05 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-30 01:38 . 2010-11-30 01:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-30 01:38 . 2010-11-30 01:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
    "MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-03 267048]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-23 185872]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 61952]
    "Belkin Storage Manager"="c:\program files\Belkin Storage Manager\StorageManager.exe" [2009-02-04 858624]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

    c:\documents and settings\Elana\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-16 113664]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Vongo Tray.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Vongo Tray.lnk
    backup=c:\windows\pss\Vongo Tray.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-05-12 06:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2006-05-04 05:58 458752 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2006-07-19 22:14 102400 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\mqsvc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\WINDOWS\\system32\\SUPDSvc.exe"=
    "c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Belkin Storage Manager\\StorageManager.exe"=

    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/8/2011 10:15 AM 294608]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/8/2011 10:15 AM 17744]
    S2 gupdate1c9c5e9ecdfb80a;Google Update Service (gupdate1c9c5e9ecdfb80a);c:\program files\Google\Update\GoogleUpdate.exe [4/25/2009 1:08 PM 133104]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 12:39 PM 61952]
    S3 GTwinUSB;GTwinUSB;c:\windows\system32\drivers\GTwinUSB.sys [6/28/2004 6:06 PM 61840]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 12:22 PM 34064]
    S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [11/29/2006 3:20 AM 23936]
    S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [3/24/2009 9:45 AM 127656]
    S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\drivers\ZD1211BU.sys [5/6/2008 11:01 AM 450560]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:34]

    2011-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 21:07]

    2011-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 21:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyServer = http=127.0.0.1:18810
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    DPF: {F4A1DC8A-3D7A-4C28-A5B6-C624B814A702} - hxxps://cp.aplus.net/tools/fileman/FileMan.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\lw29fkqb.default\
    FF - prefs.js: browser.search.selectedEngine - Optify Internal
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
    FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-22 00:04
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1513858752-1868376869-2513186060-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-02-22 00:19:47
    ComboFix-quarantined-files.txt 2011-02-22 08:19

    Pre-Run: 57,180,925,952 bytes free
    Post-Run: 57,281,015,808 bytes free

    - - End Of File - - FF98FC26A13F3C42EC1FA835F11CC02F
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, are you having any noticeable system problems at this point?
    I would like to make you aware of the risk you take with file sharing:

    Dropbox is for Photo and video sharing online. The word 'share' is the operative word here. Just keep in mind that you and the person you share the video or photo with may have 'other' files in the system that will also get 'shared.'
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    ===================================
    Question: these are different from what appeared in the DDS log. Have you set them?
    uStart Page = about:blank
    uInternet Settings,ProxyServer = http=127.0.0.1:18810
    uInternet Settings,ProxyOverride = <local>

    Are you able to run the scan in Normal Mode?
     
  22. JayF

    JayF TS Rookie Topic Starter Posts: 16

    Hi, Bobbye

    Just tried going online. The redirects are still happening. I didn't see any of the other symptoms, but I didn't stay on that long.

    Re: dropbox -- I needed this for my last gig. I will be unsubscribing/purging it as soon as I can. I'm aware of the risks -- I think the likelihood of them infecting me was low .... they were an Apple house, with pretty good security. I hope I haven't infected them.

    Re this:

    uStart Page = about:blank
    uInternet Settings,ProxyServer = http=127.0.0.1:18810
    uInternet Settings,ProxyOverride = <local>

    I did change the home page to about:blank.
    I did not make the other two changes -- that might be virus activity.

    I will try running the scan in normal mode. If it works I'll attach the log.
     
  23. JayF

    JayF TS Rookie Topic Starter Posts: 16

    Okay -- I tried running Combofix in normal mode 3 times. The first time I got a blue screen immediately. The 2nd time it hung on loading. The 3rd time I rebooted, ran the combofix /uninstall command, which it bluescreened at the end of. Then I tried running combofix again and got another blue screen. I think it's safe to say I can't run it in normal mode.
     
  24. JayF

    JayF TS Rookie Topic Starter Posts: 16

    Also, I investigated the proxy settings -- I think those are old settings left over from a corporate VPN; as far as I know they aren't active any more. I just removed them.
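    The proxy and start-page lines Bobbye asked about, and the service entries higher up in the ComboFix log (the `[?]` marker on SSPORT means the file was not found on disk), are the kind of thing a helper reads by eye. What follows is an added example, not code from this thread, from TechSpot, or from the DDS/ComboFix tools: a small Python triage script that parses those three line formats from a constructed excerpt modelled on the log above and flags a proxy pointed at the loopback interface, an explicitly set start page, and a service whose file is missing. The sample lines, the `Finding` class and the flagging rules are this example's own assumptions, not anything the tools define.

```python
"""Triage helper for DDS / ComboFix style log lines (added example, not
from the thread or from the DDS/ComboFix tools themselves)."""
import re
from dataclasses import dataclass

# Constructed excerpt, modelled on the line formats in the thread's log.
SAMPLE_LOG = r"""
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 12:22 PM 34064]
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:18810
uInternet Settings,ProxyOverride = <local>
"""

# 'S2 name;description;path [date size]' -- a '[?]' marker means the
# file could not be found on disk when the log was generated.
SERVICE_RE = re.compile(
    r"^[RS][0-4] (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
START_RE = re.compile(r"^uStart Page = (?P<value>.+)$")


@dataclass
class Finding:
    kind: str     # loopback_proxy | missing_service_file | start_page
    subject: str  # proxy entry, service name or start page URL
    detail: str


def parse_proxy_entries(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    Handles both the plain 'host:port' form and the per-protocol form
    'http=host:port;https=host:port' that this log shows."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")  # scheme is '' if absent
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
        else:
            host, port = hostport, ""
        entries.append((scheme or "*", host, port))
    return entries


def is_loopback(host):
    host = host.strip("[]").lower()
    return host == "localhost" or host == "::1" or host.startswith("127.")


def triage(log_text):
    """Return the findings a helper would question in this log excerpt."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            if m.group("meta").strip() == "?":
                findings.append(Finding(
                    "missing_service_file", m.group("name"),
                    f"service points at a file the scanner could not find: {m.group('path')}"))
        elif m := PROXY_RE.match(line):
            for scheme, host, port in parse_proxy_entries(m.group("value")):
                if is_loopback(host):
                    findings.append(Finding(
                        "loopback_proxy", f"{scheme}={host}:{port}",
                        "browser traffic is relayed through a listener on this machine; "
                        "confirm a VPN or filtering product owns that port"))
        elif m := START_RE.match(line):
            findings.append(Finding(
                "start_page", m.group("value"),
                "start page is explicitly set; confirm the user chose it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

    A loopback proxy is not proof of infection on its own (JayF's explanation of a leftover VPN setting is exactly the kind of answer the check is meant to elicit), so the script only surfaces the line for a human to confirm rather than deciding for them; the same applies to a deliberately set start page.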
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay then- if you can get online, download and run the following program. If you cannot get online, download to flash drive and run on problem computer:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please leave the log.
    • A reboot is required after disinfection.
     